Fri, 14 Sep 2001 08:33:28 -0500
"snortlst snortlst" <snortlst at ...125...> wrote:
> I have quite a standard setup:
> Firewall and external router connected to one hub.
> DMZ servers connected to another hub
> LAN is connected to the other hubs.
> Hubs are interconnected.
By gateways? It isn't clear.
>> What is the better place to plug the snort machine in my network?
It really depends on what you expect to catch:
- Between router and firewall: bad external traffic coming onto your network
- On your DMZ: bad traffic your firewall lets in
- On your local network: policy enforcement, backdoor-infected local systems, etc.
> It is a 100Mb network, should I really run snort in -b (binary) mode in that environment?
Again, it depends on the network load, the CPU speed, the disk speed, the OS, the weather, etc.
'-b' being the fastest, you simply lower the risk of missing packets.
Hope this helps
F.